uselagoon / lagoon

Lagoon, the developer-focused application delivery platform
https://docs.lagoon.sh/
Apache License 2.0
567 stars 149 forks

Assess secret storage systems for Lagoon #469

Open kurtfoster opened 6 years ago

kurtfoster commented 6 years ago

Currently it's not possible to store secret environment variables across an entire OpenShift project. Each new environment that is created for a new PR or branch needs to have ENV vars set manually in the deployment. Could we move to Vault to manage this instead of env?

Based on some investigations in our project, the following steps outline what may be needed to achieve a production level integration of Vault.

1. Install Consul.
   - https://github.com/kubernetes/charts/tree/master/stable/consul
2. Install Vault.
   - https://github.com/kubernetes/charts/tree/master/incubator/vault
3. Install the Goldfish Vault Web UI.
   - https://github.com/kubernetes/charts/tree/master/incubator/goldfish
   - https://github.com/Caiyeon/goldfish
4. Configure the Vault Kubernetes Auth Backend.
   - https://www.vaultproject.io/docs/auth/kubernetes.html
   - This will allow Kubernetes service accounts to authenticate to Vault.
5. For each application that is to use Vault stored secrets:
   - Create a `ConfigMap` with a file defining the secrets to be consumed.
   - Change the Dockerfile ENTRYPOINT for the workload so that `vaultenv` is used to fetch the secrets from Vault and store them in environment variables.
   - https://github.com/channable/vaultenv
   - The section “Exposing Secrets to Applications” from this article goes into more detail about using `vaultenv` - https://www.elastic.co/blog/kubernetes-vault-integration-devops-team

Schnitzel commented 6 years ago

Thanks for this @kurtfoster There is also #65 which covers another idea of this.

Will definitely look into Vault and check how we can use that in a PaaS environment where multiple clients need access to the Vault but should not have access to each other's secrets.

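As an added example (my own code, not Lagoon's, Vault's or vaultenv's), the following Python models the two steps that matter most in the list above: a pod logging in to Vault with its Kubernetes service-account JWT (step 4) and a vaultenv-style entrypoint turning a KV secret into environment variables (step 5). It also plays out the multi-tenancy concern from the reply: the role is bound to one namespace and the policy to one project's path, so a project-a pod cannot read project-b's secrets. The Vault API paths and response shapes are the real ones (`POST /v1/auth/kubernetes/login`, `GET /v1/secret/data/<path>` for KV v2); the `FakeVault` class, the role and policy names, the JWT table and the `secret/data/<project>/app` layout are constructed stand-ins so the example runs offline.

```python
# Added example, not code from Lagoon, Vault or vaultenv. FakeVault is a
# constructed stand-in for a Vault server; role/policy names, JWT values and
# the secret path layout are assumptions for illustration only.
import os
from typing import Callable, Dict, Optional

# Where Kubernetes mounts the pod's service-account token.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

# (method, path, json body or None, headers) -> parsed JSON response
Transport = Callable[[str, str, Optional[dict], Dict[str, str]], dict]


class VaultError(Exception):
    """Raised for any 4xx the (fake) server would return."""


class FakeVault:
    """Offline stand-in for the Vault HTTP API (constructed, not real Vault).

    roles:    role name -> {"namespace": bound SA namespace, "policies": [...]}
    jwts:     SA JWT -> (namespace, SA name); real Vault learns this by calling
              the Kubernetes TokenReview API, here it is a lookup table
    policies: policy name -> KV path prefixes that policy may read
    kv:       KV v2 path (without "secret/data/") -> secret key/values
    """

    def __init__(self, roles, jwts, policies, kv):
        self.roles, self.jwts, self.policies, self.kv = roles, jwts, policies, kv
        self.tokens: Dict[str, list] = {}  # issued client token -> policies

    def __call__(self, method, path, body, headers):
        if method == "POST" and path == "/v1/auth/kubernetes/login":
            return self._login(body or {})
        if method == "GET" and path.startswith("/v1/secret/data/"):
            return self._read(path[len("/v1/secret/data/"):], headers)
        raise VaultError(f"404 {method} {path}")

    def _login(self, body):
        role = self.roles.get(body.get("role"))
        ident = self.jwts.get(body.get("jwt"))
        if role is None or ident is None:
            raise VaultError("403 permission denied")
        # The login fails unless the SA's namespace is bound to the role.
        if ident[0] != role["namespace"]:
            raise VaultError("403 namespace not authorized for role")
        token = f"hvs.{len(self.tokens)}-{role['namespace']}"
        self.tokens[token] = role["policies"]
        return {"auth": {"client_token": token, "policies": role["policies"]}}

    def _read(self, secret_path, headers):
        policies = self.tokens.get(headers.get("X-Vault-Token", ""))
        if policies is None:
            raise VaultError("403 permission denied")
        allowed = any(secret_path.startswith(prefix)
                      for name in policies for prefix in self.policies[name])
        if not allowed or secret_path not in self.kv:
            raise VaultError("403 permission denied")
        return {"data": {"data": dict(self.kv[secret_path])}}


def read_sa_token(path: str = SA_TOKEN_PATH) -> str:
    """Read the projected service-account JWT inside a pod."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def fetch_env(transport: Transport, role: str, jwt: str,
              secret_path: str) -> Dict[str, str]:
    """Client side of the exchange: login with the SA JWT, then read the secret."""
    login = transport("POST", "/v1/auth/kubernetes/login",
                      {"role": role, "jwt": jwt}, {})
    token = login["auth"]["client_token"]
    secret = transport("GET", f"/v1/secret/data/{secret_path}", None,
                       {"X-Vault-Token": token})
    # Export each key of the KV secret as an upper-case environment variable.
    return {k.upper(): str(v) for k, v in secret["data"]["data"].items()}


def exec_with_secrets(transport, role, jwt, secret_path, argv):
    """Entrypoint replacement: merge the fetched secrets into the env, exec app."""
    env = dict(os.environ)
    env.update(fetch_env(transport, role, jwt, secret_path))
    os.execvpe(argv[0], argv, env)


def denied(transport, role, jwt, secret_path) -> bool:
    """True if Vault refuses either the login or the read."""
    try:
        fetch_env(transport, role, jwt, secret_path)
    except VaultError:
        return True
    return False


def build_demo_vault() -> FakeVault:
    """Constructed sample: two projects, each in its own namespace."""
    return FakeVault(
        roles={"project-a": {"namespace": "project-a-main", "policies": ["project-a-read"]},
               "project-b": {"namespace": "project-b-main", "policies": ["project-b-read"]}},
        jwts={"jwt-sa-a": ("project-a-main", "default"),
              "jwt-sa-b": ("project-b-main", "default")},
        policies={"project-a-read": ["project-a/"], "project-b-read": ["project-b/"]},
        kv={"project-a/app": {"db_password": "a-secret"},
            "project-b/app": {"db_password": "b-secret"}},
    )


if __name__ == "__main__":
    v = build_demo_vault()
    print(fetch_env(v, "project-a", "jwt-sa-a", "project-a/app"))
    print("cross-tenant read denied:", denied(v, "project-a", "jwt-sa-a", "project-b/app"))
    print("wrong-namespace login denied:", denied(v, "project-b", "jwt-sa-a", "project-b/app"))
```

The isolation comes from two separate bindings: the auth role only accepts JWTs from its bound namespace, and the policy attached to that role only covers that project's KV prefix. Removing either one (a role bound to all namespaces, or a policy on `secret/*`) is enough to let one client read another's secrets, which is the trap the reply above is worried about.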
markxtji commented 6 years ago

It looks to me that git-secret is something worth considering.

http://git-secret.io/

Schnitzel commented 6 years ago

Had a meeting today with @thom8 and @markxtji

We discussed a couple of ideas, and the current working idea is: vault

  1. deploy a development vault into the OpenShift Cluster via helm/tiller (already done in our test environment)
  2. access vault via local and the UI (already done in test environment)
  3. Find out how the individual openshift projects can authenticate their Kubernetes Service Account against Vault (see https://www.vaultproject.io/docs/auth/kubernetes.html#configuration)
  4. How to extract vault secrets as environment variables (maybe https://github.com/channable/vaultenv ?)

with this setup we should be able to save secrets via the vault local CLI and load them inside containers, this would not really be a multi-tenant system or so, but a good start

Future things to implement:

nicksantamaria commented 6 years ago

I would recommend looking at the CoreOS vault operator - https://github.com/coreos/vault-operator

This way you could have your helm charts include a vault resource, and with RBAC rules and service accounts you could have isolation of vaults to their particular environment.

Unsealing is still a bit of a pain, but I've seen a lot of recommendations to use https://github.com/jetstack/vault-unsealer on HN.

Schnitzel commented 6 years ago

As discussed with another client, we could also use Keycloak for secrets management?

ocean commented 5 years ago

Hi Michael, has there been any further progress on this secrets storage system?

fubarhouse commented 5 years ago

We're also interested in a supported solution.

Opswatch commented 4 years ago

This might be interesting for you https://github.com/banzaicloud/bank-vaults

Schnitzel commented 4 years ago

> This might be interesting for you https://github.com/banzaicloud/bank-vaults

thanks @Opswatch ! will have a look :)

Schnitzel commented 3 years ago

we talked about this again during lagoon tech sync:

anothertobi commented 6 months ago

Vault might no longer be a good fit for Lagoon due to the license changes that happened. Building this directly in Lagoon would be an option that solves this.